Encryption in Transit
All connections to ConvertFly are encrypted using TLS 1.3. This applies to the web application, the API, and all internal service-to-service communication. We enforce HTTPS everywhere - plain HTTP requests are automatically redirected.
24-Hour Auto-Delete
All uploaded and converted files are automatically deleted within 24 hours of creation. Import files are removed immediately after conversion completes. We do not keep copies of your files beyond this window - ever.
No Permanent Storage
ConvertFly is not a file hosting service. We process your files, deliver the results, and clean up. No backups, no archives, no long-term retention. Your files pass through - they do not stay.
HMAC-SHA256 Webhook Signatures
Every webhook notification sent by ConvertFly is signed with HMAC-SHA256 using your unique webhook secret. This allows you to verify that incoming requests genuinely originate from ConvertFly and have not been tampered with in transit.
SOC 2 Compliance Roadmap
We are actively working toward SOC 2 Type II certification. Our current security controls and practices are aligned with SOC 2 Trust Service Criteria, and we expect to complete the audit process in 2027. Contact us if you need a security questionnaire completed in the meantime.
Data Processing in the EU
File storage and processing happen in Amazon S3 eu-central-1 (Frankfurt). Your files never leave the European Union during processing. Where other services are involved (authentication, payments), we use Standard Contractual Clauses (SCCs) to ensure adequate protection. See our Privacy Policy and DPA for full details.
Have security questions?
We are happy to answer questions, complete security questionnaires, or discuss our practices in detail.
Contact Us